Cannot Generate Key inside Javacard

[noumanqaiser]

Dear Philip, IsoApplet Team,

First of all Thankyou for this excellent piece of work, it seems people will continue to benefit from this applet for a while.

I have a J3R200 Javacard which I understand is a Javacard 3.0.5. I have a contact reader, and OpenSC, GlobalPlatformPro setup on my computer to interact with the card. (J3R200 specs are defined here: https://www.mwcardtech.com/product/J3R200_J3R180_JCOP4_P71_Java_Card.html ). I have coding for a while but I am relatively quite new to the world of smartcards and seem to have hit a roadblock when it comes to generating private key.

My end objective is to be able to create a private key on the card, Create CSR, sign the CSR externally using openSSL to generate the x509 certificate, and then import it back into the card. Later I would use the card to sign/decrypt data.

I followed all the steps in your Wiki(Many thanks for well written documentation).

I installed the isoApplet.cap file 0.6.1, also Initialized the PCKS15 structure, Post this when I try to create a key, I have hit a roadblock and cannot see to create a key.

When I run List algorithms, here is what I get:

C:\packages>opensc-tool --list-algorithms
Using reader with a card: Generic Usb Smart Card Reader 0
Algorithm: rsa
Key length: 2048
Flags: onboard key generation padding ( pkcs1-type1 pkcs1-type2 pkcs1 ) hashes ( none )

Here is when I run a dump:

C:\packages>pkcs15-tool --dump
Using reader with a card: Generic Usb Smart Card Reader 0
PKCS#15 Card [JavaCard isoApplet]:
        Version        : 0
        Serial number  : 0000
        Manufacturer ID: unknown
        Last update    : 20241020085115Z
        Flags          : EID compliant

PIN [User PIN]
        Object Flags   : [0x03], private, modifiable
        ID             : ff
        Flags          : [0x39], case-sensitive, unblock-disabled, initialized, needs-padding
        Length         : min_len:4, max_len:16, stored_len:16
        Pad char       : 0x00
        Reference      : 1 (0x01)
        Type           : ascii-numeric

Here is the error I get whenever I try to generate a key inside the card:

>pkcs15-init --generate-key "rsa/2048" --auth-id "FF" --label "myKey" --id "1"
Using reader with a card: Generic Usb Smart Card Reader 0
User PIN [User PIN] required.
Please enter User PIN [User PIN]: Failed to generate key: Card does not support the requested operation

Another attempt:

C:\packages>pkcs15-init --generate-key rsa/2048 --auth-id 01 --key-usage sign,decrypt --label "MyPrivateKey" --verbose
Using reader with a card: Generic Usb Smart Card Reader 0
Connecting to card in reader Generic Usb Smart Card Reader 0...
Using card driver Javacard with IsoApplet.
Found JavaCard isoApplet
About to generate key.
User PIN [User PIN] required.
Please enter User PIN [User PIN]: Failed to generate key: Card does not support the requested operation

When I list mechsnisms supported by my card here is the list:

C:\Users\Admin>pkcs11-tool --list-mechanisms
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA224, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  RSA-PKCS, keySize={2048,2048}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={2048,2048}, sign, verify
  SHA224-RSA-PKCS, keySize={2048,2048}, sign, verify
  SHA256-RSA-PKCS, keySize={2048,2048}, sign, verify
  SHA384-RSA-PKCS, keySize={2048,2048}, sign, verify
  SHA512-RSA-PKCS, keySize={2048,2048}, sign, verify
  MD5-RSA-PKCS, keySize={2048,2048}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={2048,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={2048,2048}, hw, generate_key_pair

Here are things I have tried(and didnt work)

1. uninstall/Reinstall the applet
2. Tried other applets supported by OpenSC like (GidsApplet) and PivApplet.
3. Tried PKCS11-tool but have run into similar issues.

My Question is, what is causing the pkcs15init key generation to fail, is there anything you would recommend to sort this?

Regards, Nouman

[philipWendland]

Hi, AFAIR you can set the log level with "OPENSC_DEBUG=9 pkcs15-init" (or multiple uses of verbose). Can you please post a log? It might contain sensitive data, your PIN, PUK, etc, so use dummy values.

[noumanqaiser]

HI Philip, Thanks for a prompt response,

I am attaching the log files when I try to initialize and when I try to create key with debug level 9, (There is no confidentiality issue as I am trying to learn use of smart cards in cryptography on a test setup).

Looking forward to your inputs. pkcs Initialization.txt

VerifyPin And GenerateKey.txt

[noumanqaiser]

Hi Philip, Have done some more research, it seems the particular variant of NXP chip used in my card (J3R200) does not seem to have on-card RSA key generation capability, I validated it by running a test with JCAlgTest.

https://www.fi.muni.cz/~xsvenda/jcalgtest/table.html

It seems from the table in the above link, J3R180 does seem to have key generation capability, while looking at the AlgTest Report I generated using JCAlgTest applet, J3R200 doesnt have this capability. I am attaching the report here aswell incase if someone else faces similar issue(I have also sent it to JCAlgTest so they can update their table with this card).

NXP_JCOP_J3R200_ALGSUPPORT__3b_e0_00_00_81_31_fe_45_eb.csv

So from the look of it, It seems I will have to buy a new card and continue my triails.

In parallel, I would really appreciate if you can guide me about if I what I am trying to achieve with IsoApplet/OpenSC is even possible(assuming no card specific restriction), I wanted to achieve the following:

1. Generate private key on Card, which is non exportable
2. Generate Certificate Signing request from card.
3. Sign the CSR outside using a CA certificate and openSSL, generate the certificate file.
4. Import back the Certificate into the card(so both public/private key are available inside).
5. Use the card for signing or Decrypting small strings using a .NET application on Android/Windows.

Are the above 5 steps likely to be achievable?